path: root/install/tools/ipa-server-install
Commit message | Author | Age | Files | Lines
* Convert installation tools to platform-independent access to system services | Alexander Bokovoy | 2011-09-13 | 1 | -5/+6
  http://fedorahosted.org/freeipa/ticket/1605
* Fix permissions in installers | Martin Kosek | 2011-09-07 | 1 | -17/+17
  Fix permissions for (configuration) files produced by ipa-server-install or ipa-client-install. This patch is needed when root has a umask preventing files from being world readable.
  https://fedorahosted.org/freeipa/ticket/1644
* Improve man pages structure | Martin Kosek | 2011-09-07 | 1 | -55/+69
  There are too many options in ipa-*-install scripts which makes it difficult to read. This patch adds subsections to install script online help and man pages to improve readability. No option has been changed.
  To further improve man pages:
  1) All man pages were changed to have the same header and top-center title to provide united look.
  2) Few typos in man pages have been fixed
  https://fedorahosted.org/freeipa/ticket/1687
* Let Bind track data changes | Martin Kosek | 2011-08-31 | 1 | -1/+19
  Integrate new bind-dyndb-ldap features to automatically track DNS data changes:
  1) Zone refresh
     Set --zone-refresh in installation to define number of seconds between bind-dyndb-ldap polls for new DNS zones. User now doesn't have to restart name server when a new zone is added.
  2) New zone notifications
     Use LDAP persistent search mechanism to immediately get notification when any new DNS zone is added. Use --zone-notif install option to enable. This option is mutually exclusive with Zone refresh.
  To enable this functionality in existing IPA installations, update a list of arguments for bind-dyndb-ldap in /etc/named.conf. An example when zone refresh is disabled and DNS data change notifications (argument psearch of bind-dyndb-ldap) are enabled:
      dynamic-db "ipa" {
          ...
          arg "zone_refresh 0";
          arg "psearch yes";
      };
  This patch requires bind-dyndb-ldap-1.0.0-0.1.b1 or later.
  https://fedorahosted.org/freeipa/ticket/826
* Add common is_installed() fn, better uninstall logging, check for errors. | Rob Crittenden | 2011-08-29 | 1 | -2/+25
  The installer and ipactl used two different methods to determine whether IPA was configured, unify them.
  When uninstalling report anything that looks suspicious and warn that a re-install may fail. This includes any remaining 389-ds instances and any state or files that remain after all the module uninstallers are complete.
  Add wrappers for removing files and directories to log failures.
  https://fedorahosted.org/freeipa/ticket/1715
* Verify that the external CA certificate files are correct. | Jan Cholasta | 2011-08-23 | 1 | -6/+41
  ticket 1572
* Add option to install without the automatic redirect to the Web UI. | Jan Cholasta | 2011-08-18 | 1 | -2/+4
  ticket 1570
* Verify that passwords specified through command line options of ipa-server-install meet the length requirement. | Jan Cholasta | 2011-08-18 | 1 | -0/+5
  ticket 1621
* Make sure messagebus is running prior to starting certmonger. | Jan Cholasta | 2011-08-18 | 1 | -2/+0
  ticket 1580
* Ask for reverse DNS zone information in attended install right after asking for DNS forwarders, so that DNS configuration is done in one place. | Jan Cholasta | 2011-08-09 | 1 | -11/+10
  ticket 1522
* Re-arrange CA configuration code to reduce the number of restarts. | Rob Crittenden | 2011-08-03 | 1 | -3/+0
  Ade Lee from the dogtag team looked at the configuration code and determined that a number of restarts were not needed and recommended re-arranging other code to reduce the number of restarts to one.
  https://fedorahosted.org/freeipa/ticket/1555
* Clean up existing DN object usage | John Dennis | 2011-07-29 | 1 | -3/+3
* Fix external CA install. | Jan Cholasta | 2011-07-26 | 1 | -25/+34
  ticket 1523
* Clean up of IP address checks in install scripts. | Jan Cholasta | 2011-07-19 | 1 | -18/+4
  Fixes ipa-dns-install incorrect warning.
  ticket 1486
* Use information from the certificate subject when setting the NSS nickname. | Rob Crittenden | 2011-07-17 | 1 | -1/+1
  There were a few places in the code where certs were loaded from a PKCS#7 file or a chain in a PEM file. The certificates got very generic nicknames.
  We can instead pull the subject from the certificate and use that as the nickname.
  https://fedorahosted.org/freeipa/ticket/1141
* Validate that the certificate subject base is in valid DN format. | Rob Crittenden | 2011-07-17 | 1 | -1/+26
  https://fedorahosted.org/freeipa/ticket/1176
* Fix creation of reverse DNS zones. | Jan Cholasta | 2011-07-15 | 1 | -15/+21
  Create reverse DNS zone for /24 IPv4 subnet and /64 IPv6 subnet by default instead of using the netmask from the --ip-address option.
  Custom reverse DNS zone can be specified using new --reverse-zone option, which replaces the old --ip-address netmask way of creating reverse zones.
  The reverse DNS zone name is printed to the user during the install.
  ticket 1398
* Verify that the hostname is fully-qualified before accessing the service information in ipactl. | Jan Cholasta | 2011-06-24 | 1 | -8/+7
  Fail gracefully if the supplied hostname isn't fully-qualified in ipa-server-install.
  ticket 1035
* Let the framework be able to override the hostname. | Rob Crittenden | 2011-06-23 | 1 | -1/+2
  The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value.
  Important changes:
  - configure ipa_hostname in sssd on masters
  - set PKI_HOSTNAME so the hostname is passed to dogtag installer
  - set the hostname when doing ldapi binds
  This also reorders some things in the dogtag installer to eliminate an unnecessary restart. We were restarting the service twice in a row with very little time in between and this could result in a slew of reported errors, though the server installed ok.
  ticket 1052
* Fix IPA install for secure umask | Martin Kosek | 2011-06-21 | 1 | -12/+16
  Make sure that IPA can be installed with root umask set to secure value 077. ipa-server-install was failing in DS configuration phase when dirsrv tried to read boot.ldif created during installation.
  https://fedorahosted.org/freeipa/ticket/1282
* The IP address provided to ipa-server-install must be local | Rob Crittenden | 2011-06-20 | 1 | -1/+1
  Compare the configured interfaces with the supplied IP address and optional netmask to determine if the interface is available.
  https://fedorahosted.org/freeipa/ticket/1175
* Improve IP address handling in IPA option parser | Martin Kosek | 2011-06-19 | 1 | -2/+3
  Implements a way to pass match_local and parse_netmask parameters to IP option checker.
  Now, there is just one common option type "ip" with new optional attributes "ip_local" and "ip_netmask" which can be used to pass IP address validation parameters.
  https://fedorahosted.org/freeipa/ticket/1333
* Do better detection on status of CA DS instance when installing. | Rob Crittenden | 2011-06-13 | 1 | -4/+4
  The conditional used to determine if the CA 389-ds instance was already configured was rather poor so it was possible to pass command-line arguments in to confuse it. This would cause it to not be installed at all causing the dogtag installation to fail in a strange way.
  https://fedorahosted.org/freeipa/ticket/1244
* IPA installation with --no-host-dns fails | Martin Kosek | 2011-06-10 | 1 | -6/+15
  --no-host-dns option should allow installing IPA server on a host without a DNS resolvable name.
  Update parse_ip_address and verify_ip_address functions has been changed not to return None and print error messages in case of an error, but rather let the Exception be handled by the calling routine.
  https://fedorahosted.org/freeipa/ticket/1246
* Fix external CA installation | Rob Crittenden | 2011-06-09 | 1 | -2/+2
  When re-creating the CADS instance it needs to be more fully-populated so we have enough information to create an SSL certificate and move the principal to a real entry.
  https://fedorahosted.org/freeipa/ticket/1245
* Honor netmask in DNS reverse zone setup. | Jan Cholasta | 2011-05-30 | 1 | -1/+2
  ticket 910
* Parse netmasks in IP addresses passed to server install. | Jan Cholasta | 2011-05-30 | 1 | -19/+17
  ticket 1212
* Fix reverse zone creation in ipa-replica-prepare | Martin Kosek | 2011-05-27 | 1 | -22/+7
  When a new reverse zone was created in ipa-replica-prepare (this may happen when a new replica is from different subnet), the master DNS address was corrupted by invalid A/AAAA record. This caused problems for example in installing replica.
  https://fedorahosted.org/freeipa/ticket/1223
* Properly handle --no-reverse being passed on the CLI in interactive mode | Rob Crittenden | 2011-05-12 | 1 | -3/+7
  If installing in interactive mode and --no-reverse is passed then the reverse zone was still being created.
  ticket 1152
* Forbid reinstallation in ipa-client-install | Martin Kosek | 2011-04-29 | 1 | -1/+2
  The --force option may be misused to reinstall an existing IPA client. This is not supported and may lead to unexpected errors.
  When required, the cleanest way to re-install IPA client is to run uninstall and then install again.
  This patch also includes few cosmetic changes in messages to user to provide more consistent user experience with the script.
  https://fedorahosted.org/freeipa/ticket/1117
* Ensure that the zonemgr passed to the installer conforms to IA5String. | Rob Crittenden | 2011-04-26 | 1 | -1/+12
  ticket 1164
* Fix lint false positives. | Jan Cholasta | 2011-04-13 | 1 | -1/+1
* Fix typo in ipa-server-install. | Jan Cholasta | 2011-04-08 | 1 | -1/+1
* Fix SELinux errors caused by enabling TLS on dogtag 389-ds instance. | Rob Crittenden | 2011-03-15 | 1 | -9/+5
  This fixes 2 AVCS:
  * One because we are enabling port 7390 because an SSL port must be defined to use TLS on 7389.
  * We were symlinking to the main IPA 389-ds NSS certificate database. Instead generate a separate NSS database and certificate and have certmonger track it separately.
  I also noticed some variable inconsistency in cainstance.py. Everywhere else we use self.fqdn and that was using self.host_name. I found it confusing so I fixed it.
  ticket 1085
* Use TLS for dogtag replication agreements. | Rob Crittenden | 2011-03-10 | 1 | -1/+15
  Configure the dogtag 389-ds instance with SSL so we can enable TLS for the dogtag replication agreements. The NSS database we use is a symbolic link to the IPA 389-ds instance.
  ticket 1060
* chkconfig the ipa service off when it is uninstalled. | Rob Crittenden | 2011-03-08 | 1 | -0/+2
  ticket 1056
* Skip DNS validation checks if we're setting up DNS in ipa-server-install. | Rob Crittenden | 2011-03-04 | 1 | -0/+4
  If we're going to be authoritative ourselves don't bother with what other DNS servers think.
  ticket 1036
* Use ldapi: instead of unsecured ldap: in ipa core tools. | Pavel Zuna | 2011-03-03 | 1 | -4/+6
  The patch also corrects exception handling in some of the tools.
  Fix #874
* Inconsistent sysrestore file handling by IPA server installer | Martin Kosek | 2011-03-03 | 1 | -2/+2
  IPA server/replica uninstallation may fail when it tries to restore a Directory server configuration file in sysrestore directory, which was already restored before.
  The problem is in Directory Server uninstaller which uses and modifies its own image of sysrestore directory state instead of using the common uninstaller image.
  https://fedorahosted.org/freeipa/ticket/1026
* IPA replica/server install does not check for a client | Martin Kosek | 2011-03-03 | 1 | -0/+5
  When IPA replica or server is configured it does not check for possibly installed client. This will cause the installation to fail in the very end.
  This patch adds a check for already configured client and suggests removing it before server/replica installation.
  https://fedorahosted.org/freeipa/ticket/1002
* Fixed in ipa-server-install help and man page | Jan Zeleny | 2011-02-18 | 1 | -1/+1
  https://fedorahosted.org/freeipa/ticket/831
* Refresh state data before removing the dirsrv user, fixes uninstall. | Rob Crittenden | 2011-02-07 | 1 | -0/+1
  The state is read only at initialization time. This works ok when individual services remove their state data but when worked upon again at the top-level it still has the full state in memory, so when the state file is re-written all of the data that was removed is re-added.
  ticket 916
* ipa-server-install inconsistent capitalization | Martin Kosek | 2011-02-03 | 1 | -3/+3
  A cosmetic patch to IPA server installation output aimed to make capitalization in installer output consistent. Several installation tasks started with a lowercase letter and several installation task steps started with an uppercase letter.
  https://fedorahosted.org/freeipa/ticket/776
* Fix installing with an external CA and wait for dogtag to come up | Rob Crittenden | 2011-02-01 | 1 | -10/+40
  There wasn't an exception in the "is the server already installed" check for a two-stage CA installation.
  Made the installer slightly more robust. We create a cache file of answers so the next run won't ask all the questions again. This cache is removed when the installation is complete.
  Previously nothing would work if the installer was run more than once, this should be fixed now.
  The cache is encrypted using the DM password.
  The second problem is that the tomcat6 init script returns control before the web apps are up. Add a small loop in our restart method to wait for the 9180 port to be available.
  This also adds an additional restart to ensure that nonces are disabled.
  ticket 835 revise
* Use a common group for all DS instances | Simo Sorce | 2011-01-31 | 1 | -53/+49
  Also remove the option to choose a user. It is silly to keep it, when you can't choose the group nor the CA directory user.
  Fixes: https://fedorahosted.org/freeipa/ticket/851
* Don't perform some API self-tests in production mode for performance reasons | Rob Crittenden | 2011-01-28 | 1 | -0/+1
  The API does a fair number of self tests and locking to assure that the registered commands are consistent and will work. This does not need to be done on a production system and adds additional overhead causing somewhere between a 30 and 50% decrease in performance.
  Because makeapi is executed when a build is done ensure that it is executed in developer mode to ensure that the framework is ok.
  ticket 751
* Make the -u option optional in unattended mode | Simo Sorce | 2011-01-24 | 1 | -8/+11
  Fixes: https://fedorahosted.org/freeipa/ticket/836
* Remove trailing space | Simo Sorce | 2011-01-24 | 1 | -1/+1
* Create the reverse zone by default | Jakub Hrozek | 2011-01-07 | 1 | -2/+12
  A new option to specify reverse zone creation for unattended installs
  https://fedorahosted.org/freeipa/ticket/678
* Allow ipa-dns-install to install with just admin credentials | Simo Sorce | 2011-01-07 | 1 | -1/+0
  Do this by creating a common way to attach to the ldap server for each instance.
  Fixes: https://fedorahosted.org/freeipa/ticket/686